An Imperfect Legal Mandate

In many industries, the dictates of common sense and audit requirements are supplemented by legal mandates for disaster recovery planning. The U.S. government has enacted legislation or issued regulations that require a broad range of contingency planning and related activities to be undertaken by businesses. A partial list of these provisions is provided in Table 1–2. In addition, many states are currently deliberating legislation pertaining to contingency planning, and some, including Florida and Maryland, have already passed laws requiring demonstrated disaster recovery capabilities for certain industry segments. Readers are urged to consult a lawyer specializing in computer and business law to determine the requirements that pertain in their respective states.

Federal mandates for disaster recovery planning affect various industry segments unevenly. Financial institutions, particularly those participating in the various components of the federal banking system, must comply with a well-rooted regimen of regulations on DR.

National banks, for example, must comply with Comptroller of the Currency Banking Circulars and Federal Financial Institutions Examination Council (FFIEC) guidelines that require them to develop means to reduce the impact and/or risk of losing IT support for business-critical applications.

In many cases, bank management is made directly responsible for determining critical functions at the bank, assessing the risk and potential impact of a loss of IT support for those functions, and developing plans to reduce the risk and/or impact of such a loss. Moreover, boards of directors are obligated to review the plans of bank management annually, approve them, record their approval in the board minutes, and provide the minutes for review by the bank examiners. The intent is to make both the board and bank management legally liable for a bank failure arising from inadequate preparation for an IT outage.

Other banking regulations extend management accountability for disaster recovery planning to include the performance of service bureaus. Banks using service bureaus to process information are required to investigate the financial condition of their servicers annually and to develop alternate processing strategies if the servicer's financial condition is deteriorating or unsound. They are also required to prepare their own contingency plans for mitigating exposure to a failure of the service bureau's processing capability.

Table 1–2 Partial Business Recovery Regulatory Profile

Regulation | Industry | Description
Comptroller of the Currency BC-177 (1983, 1987) | Banking | Amended since the original in 1983; requires banking institutions to develop and maintain Business Recovery Plans
Federal Home Loan Bank Bulletin R-67 | Banking | Follows the intent of BC-177
Inter-Agency Policy from the Federal Financial Institutions Examination Council (FFIEC, 1989, 1996) | Banking and any related service bureaus | Requires business-wide data and IT protection planning for banking institutions and extends the regulation to require contingency plans from any service bureaus or outsourcing companies that service such banks
Financial Institution Letter from the FFIEC (1997) | FDIC-supervised banks | Emphasizes to the board of directors and senior management the importance of corporate data protection functions; also addresses issues that management should consider when developing a viable IT security plan
Fair Credit Reporting Act | Reporting agencies | Ensures credit information is accurate and up to date
Foreign Corrupt Practices Act (1977) | Cross-industry | Management accountability through record keeping
IRS Procedure 86-19 | Cross-industry | Legal requirements for protecting computer records containing tax information
IRS Procedure 97-22, Cumulative Bulletin 1997-1 | Cross-industry | Compliance requirements for electronic storage systems used to maintain record-keeping information
IRS Procedure 98-25, Internal Revenue Bulletin 1998-11 | Cross-industry | Requirements for documentation of machine-readable record-keeping system processes
Federal Response Planning Guidance (1994), FRPG 01-94 | Federal departments and agencies | Outlines responsibilities and objectives of data protection planning
GAO/IMTEC-91-56, Financial Markets: Computer Security Controls | Financial | Security guidelines for stock markets
Gramm-Leach-Bliley Act of 1999 | Financial | Requirements for guaranteeing information privacy and security
Health Insurance Portability and Accountability Act of 1996 (HIPAA) | Healthcare | Requires adequate provisioning for health information privacy and security
Accreditation Manual for Hospitals (1994) | Healthcare | Guidelines for information management, including security
Clinical Laboratory Information Act (1988) | Healthcare | Specifies requirements for the protection of critical laboratory data


The focus of federal regulators on the disaster preparedness of financial institutions in particular originated in the wake of an actual disaster. Following a computer failure at the Bank of New York in 1985, senior officials of the bank were summoned to appear before a Congressional investigating committee that, at one point in its hearings, considered the possibility of removing senior managers from their positions for not adequately preparing for a disaster.8

Bank of New York, reputedly the state's largest broker for government securities, experienced an IT outage that lasted approximately 27 hours. To continue operations, the bank was forced to borrow $22 billion from the discount window of the Federal Reserve Bank. It did so at an interest rate well below prime. The huge loan briefly destabilized the weighted rate of federal funds and cost the bank (or its insurer) $4 to $5 million in interest.9 While Congress did not remove management in this case, the Federal Reserve did issue a circular that set the rate for borrowing in the face of an IT failure at prime plus two.

Not all federal regulations are reactive, however. In the late 1990s, the Year 2000 (Y2K) problem focused the attention of some regulators on corporate contingency planning as a proactive measure—a hedge against widespread economic calamity.

The Securities and Exchange Commission (SEC), for example, required all publicly held companies to disclose the details of their Y2K remediation projects, including contingency plans, as part of their SEC filings. Presumably, this requirement was intended to pressure companies to deal with their Y2K vulnerabilities by making the status of their preparedness a matter of public record.

The regulation cajoles companies to perform Y2K remediation by providing prospective investors with an additional criterion for making investment decisions. It may also provide a basis for shareholder lawsuits in the wake of Y2K outages if false claims are made by companies about their preparedness.

The regulation further incites companies to remediate their application code or risk being dropped as suppliers by business customers who depend upon their products within their own supply chains. As the 1990s drew to a close, many companies were actively reviewing their supply chain providers and selecting new, Y2K-ready providers for critical supply sources.

The close attention paid to the disaster preparedness of the financial industry (and to Y2K remediation across all industries) by federal lawmakers and regulators is not indicative of a comprehensive DR planning mandate, however. In many cases, disaster recovery planning requirements must be interpreted from legal language pertaining to recordkeeping requirements.

The Foreign Corrupt Practices Act of 1977, for example, requires only indirectly that companies undertake contingency planning. The post-Watergate-era legislation was conceived as a mechanism for prosecuting companies that routinely used bribes to obtain business advantage in foreign markets. However, the recordkeeping provisions of the law are sweeping and have been adopted by the SEC and applied to all publicly held companies.

The recordkeeping provisions of the Act require companies to keep and safeguard records that clearly indicate how their assets are used. The original intent was to eliminate vaguely labeled accounting entries, such as "slush funds," which investigators found were often used to disguise bribery payments. According to the legislation, any accounting system that fails to indicate clearly how money is disposed of violates the Act. The SEC has since used the Act in several cases to prosecute wrongdoers who have not engaged in bribery of foreign officials, but whose actions technically violate the Act's accounting requirements (much like the federal government has used tax laws to prosecute organized crime figures whose "real" crimes cannot be proven).10

The Foreign Corrupt Practices Act pertains to any company using manual or computerized ledger, accounts receivable/accounts payable, or other accounting systems. Under the law, a business must take measures to guarantee the security and integrity of its recordkeeping system—a provision that has been widely interpreted as a requirement to undertake contingency planning. The Act further provides the means to prosecute individual managers and corporate executives who fail to comply with the Act. By legal extension, management can be prosecuted for failing to plan adequately for recordkeeping system recovery following a disaster.

Individual fines of up to $10,000, 5 years in prison, and corporate penalties of more than $1 million have been established. To date, however, no penalties have been exacted under the provisions of this law against companies or their executives simply for failing to develop disaster recovery plans.

Another government regulation, from the Office of Management and Budget, requires government agencies to take adequate measures to safeguard the operations of their IT processing facilities. This rule has been interpreted to extend to government contractors and subcontractors and is being rigidly enforced as a matter of national defense. Proponents of the regulation argue that because the design and production of military equipment and other contracted goods are being conducted or controlled using computer systems, the inadequate safeguarding of these systems represents an economic and military threat to the security of the United States. Plans must be made by federal contractors and subcontractors to ensure the availability and integrity of these systems.

The assignment of the ultimate responsibility—in legal terms—for the protection and preservation of corporate assets to corporate management has precedents. The Internal Revenue Service (IRS), for example, has articulated a number of strict rules pertaining to secure storage of business records. Management is often liable if IRS rules have not been observed and the records are lost.

For example, IRS Procedure 64-12 requires that recorded and reconstructable data be maintained in accordance with the Internal Revenue Code of 1954 and that program and source documentation be securely stored so that an audit trail from source documents to final accounting balances and totals may be demonstrated in the event of an IRS audit.11 IRS Ruling 71–20 goes further to describe the requirements for retaining and safeguarding machine-readable records (including punched cards, disks, and other machine-sensible data media) that may become material in the administration of any IRS law.12 Corporate officers are subject to penalties if these rulings and regulations are not observed.

Besides making provisions for disaster recovery and secure storage of data, the U.S. government further requires all businesses to safeguard the health and safety of employees and to refrain from activities that could harm the community in which facilities are located. The Occupational Safety and Health Administration (OSHA) and the Environmental Protection Agency (EPA) have issued enforceable codes and regulations aimed at "disaster avoidance" that make company management prosecutable if avoidable disasters occur.13 At the state level, numerous agencies and departments have followed the federal government's lead with fire, building, and emergency management codes that impact on disaster avoidance and recovery planning.14
